Sourcefire
SSL Appliance 1500
Administration & Deployment Guide
Software version: 3.7.1
Document Revision 04/01/2014
Legal Notices
Cisco, the Cisco logo, Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, and certain other trademarks and
logos are trademarks or registered trademarks of Cisco and/or its affiliates in the United States and other countries.
To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned
are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company.
The legal notices, disclaimers, terms of use, and other information contained herein (the "terms") apply only to the
information discussed in this documentation (the "Documentation") and your use of it. These terms do not apply to
or govern the use of websites controlled by Cisco or its subsidiaries (collectively, "Cisco") or any Sourcefire-provided
or Cisco-provided products. Sourcefire and Cisco products are available for purchase and subject to a separate license
agreement and/or terms of use containing very different terms and conditions.
The copyright in the Documentation is owned by Cisco and is protected by copyright and other intellectual property
laws of the United States and other countries. You may use, print out, save on a retrieval system, and otherwise copy
and distribute the Documentation solely for non-commercial use, provided that you (i) do not modify the
Documentation in any way and (ii) always include Cisco’s copyright, trademark, and other proprietary notices, as
well as a link to, or print out of, the full contents of this page and its terms.
No part of the Documentation may be used in a compilation or otherwise incorporated into another work or with or
into any other documentation or user manuals, or be used to create derivative works, without the express prior
written permission of Cisco. Cisco reserves the right to change the terms at any time, and your continued use of the
Documentation shall be deemed an acceptance of those terms.
© 2004 - 2014 Cisco and/or its affiliates. All rights reserved.
Disclaimers
THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES
OR TYPOGRAPHICAL ERRORS. CISCO MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME. CISCO
MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF ANY
CISCO-CONTROLLED WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION.
CISCO-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE PROVIDED
"AS IS" AND CISCO DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES, INCLUDING BUT
NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL CISCO BE LIABLE TO YOU FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES
(INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF DATA,
LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY RELATED TO
CISCO-CONTROLLED WEBSITES OR THE DOCUMENTATION, NO MATTER HOW CAUSED AND/OR
WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTIOUS ACTIVITY, OR
ANY OTHER THEORY OF LIABILITY, EVEN IF CISCO IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.
Administration and Deployment Guide
Contents
1. Introduction.......................................................................................................................11
1.1 SSL Inspection Overview.........................................................................................11
1.2 Product Overview....................................................................................................12
1.3 Key Features...........................................................................................................14
1.4 Product Specifications.............................................................................................15
1.5 Product Checklist.....................................................................................................16
2. System Behavior & Deployment Examples.......................................................................17
2.1 Transparent SSL Decryption / Encryption................................................................17
2.2 SSL Decryption Methods.........................................................................................18
2.2.1 Known Server Key Method........................................................................18
2.2.2 Certificate Re-Signing Method...................................................................20
2.2.3 Self-Signed Server Certificate Handling.....................................................22
2.2.4 Decryption Methods in Cooperative Configurations...................................22
2.2.5 Marking SSL Plaintext................................................................................23
2.3 Deployment Modes..................................................................................................24
2.3.1 Passive-Tap Mode.....................................................................................25
2.3.2 Passive-Inline Mode...................................................................................27
2.3.3 Active-Inline Mode.....................................................................................28
2.4 Policies....................................................................................................................30
2.4.1 Segment Policies.......................................................................................30
2.4.2 Ruleset Policies.........................................................................................31
2.4.3 Lists...........................................................................................................38
2.4.4 Reset Generation.......................................................................................39
2.5 Failure Modes and High Availability.........................................................................40
2.5.1 Link Failures..............................................................................................40
2.5.2 Software (data-plane) Failures...................................................................41
2.6 Example Deployment Configurations.......................................................................42
2.6.1 Outbound Inspection..................................................................................42
2.6.2 Inbound Inspection.....................................................................................43
2.6.3 Inbound and Outbound Inspection.............................................................44
2.6.4 High Availability Deployment......................................................................44
3. Physical Installation..........................................................................................................46
3.1 Safety Information...................................................................................................46
3.2 Requirements Checklist...........................................................................................46
3.3 Rack Mounting.........................................................................................................46
3.4 Back Panel..............................................................................................................47
3.5 Front Panel..............................................................................................................48
3.6 Connecting to the Network......................................................................................49
4. Initial Configuration and Setup..........................................................................................51
4.1 Bootstrap Phase......................................................................................................51
4.1.1 Configuring Static IP Address for Management..........................................52
4.1.2 Password Entry..........................................................................................54
4.1.3 Installation Process....................................................................................57
4.2 Network Connections...............................................................................................59
4.3 Post Bootstrap Configuration...................................................................................59
4.3.1 Configuring System Date/Time and Timezone...........................................60
© 2014 Cisco and/or its affiliates.
All rights reserved. This document is Cisco Public. iii
4.3.2 Configuring Management Network Settings...............................................62
4.3.3 Configuring Management Users................................................................63
4.3.4 Licensing....................................................................................................64
4.3.5 System Status............................................................................................66
4.4 Installing a CA for Certificate Re-sign......................................................................67
4.4.1 Creating a CA............................................................................................67
4.4.2 Importing a CA...........................................................................................69
4.5 Importing Known Server Keys.................................................................................69
4.6 Example Passive-Tap Mode Inspection...................................................................71
4.7 Example Passive-Inline Mode Inspection................................................................79
4.8 Example Active-Inline Mode Inspection...................................................................83
5. Web-Based Management Interface (WebUI)....................................................................86
5.1 Introduction..............................................................................................................86
5.1.1 Browser Configuration...............................................................................86
5.1.2 Login Process............................................................................................87
5.1.3 Screen Layout Explained...........................................................................88
5.2 Monitoring the System.............................................................................................90
5.2.1 Dashboard.................................................................................................90
5.2.2 System Log................................................................................................92
5.2.3 SSL Session Log.......................................................................................93
5.2.4 SSL Statistics.............................................................................................94
5.2.5 Certificates.................................................................................................95
5.2.6 Errors.........................................................................................................96
5.2.7 Diagnostics................................................................................................96
5.2.8 Debug........................................................................................................97
5.3 Configuring Segments and Policies.........................................................................98
5.3.1 Rulesets.....................................................................................................99
5.3.2 Segments.................................................................................................102
5.3.3 Subject/Domain Names List.....................................................................105
5.3.4 Domain Names List..................................................................................107
5.3.5 IP Address Lists.......................................................................................108
5.3.6 Cipher Suites List.....................................................................................108
5.3.7 Host Categorization Lists.........................................................................109
5.4 PKI Management...................................................................................................115
5.4.1 Internal Certificate Authorities..................................................................115
5.4.2 External Certificate Authorities.................................................................116
5.4.3 Certificate Revocation Lists......................................................................117
5.4.4 Trusted Certificates..................................................................................118
5.4.5 Known Certificates and Keys...................................................................118
5.5 Platform Management............................................................................................119
5.5.1 Information...............................................................................................120
5.5.2 Management Network..............................................................................120
5.5.3 Remote Logging.......................................................................................121
5.5.4 Date/Time................................................................................................122
5.5.5 Users.......................................................................................................123
5.5.6 TACACS Servers.....................................................................................123
5.5.7 Alerts.......................................................................................................125
5.5.8 License....................................................................................................127
5.5.9 Backup/Restore.......................................................................................128
5.5.10 Halt/Reboot..............................................................................................128
5.5.11 Import UI Certificate/Key..........................................................................129
5.5.12 Update.....................................................................................................129
5.5.13 Preferences.............................................................................................130
5.6 User Management.................................................................................................130
5.6.1 Change Password....................................................................................131
5.6.2 Logout......................................................................................................131
6. Troubleshooting the System...........................................................................................132
6.1 Supported Network Protocols and Frame Encapsulations.....................................132
6.2 Supported SSL/TLS versions.................................................................................132
6.3 Support for Client Certificates................................................................................132
6.4 Supported Cipher Suites........................................................................................133
6.5 Support for SSL Record Layer Compression.........................................................135
6.6 Support for Stateless Session Resumption (RFC5077).........................................135
6.7 Steps to Troubleshoot SSL Decryption..................................................................136
6.7.1 Monitor Network Port Statistics................................................................136
6.7.2 Monitor the SSL Statistics........................................................................136
6.7.3 Monitor the SSL Session Log...................................................................136
6.7.4 Verify that the Inspection Policy is set up correctly...................................136
6.8 Known Server vs Trusted Server Certificates........................................................136
6.9 Caveats when Enabling/Disabling SSL Inspection.................................................137
6.10 Generating the Internal CA Certificates..................................................................137
6.11 Access to Microsoft Windows Update Denied.......................................................137
6.12 Issues with Alerts...................................................................................................138
6.13 Procedure for Reporting an Issue..........................................................................138
6.14 Preparing for Hardware Diagnostics or Maintenance.............................................138
6.15 Command Line Diagnostics Interface....................................................................138
7. Safety Information...........................................................................................................141
7.1 Safety Instructions.................................................................................................141
7.2 Rack Mounting the Equipment...............................................................................141
8. Technical Support...........................................................................................................142
List of Figures
Figure 2.1: Known Server Key Decryption Method - Passive-Tap mode....................................19
Figure 2.2: Known Server Key Decryption Method - Passive-Inline mode.................................20
Figure 2.3: Certificate Re-sign Decryption Method - Passive-Inline mode..................................21
Figure 2.4: Certificate Re-sign Decryption Method in a Cooperative Deployment......................23
Figure 2.5: PT-sym.....................................................................................................................25
Figure 2.6: PT-sym-ag2.............................................................................................................25
Figure 2.7: PT-sym-ag3.............................................................................................................25
Figure 2.8: Copy options for symmetric PT mode......................................................................26
Figure 2.9: PT-asym...................................................................................................................26
Figure 2.10: Copy options for asymmetric PT mode..................................................................26
Figure 2.11: PI-sym....................................................................................................................27
Figure 2.12: Copy options for symmetric PI mode.....................................................................27
Figure 2.13: PI-asym..................................................................................................................28
Figure 2.14: Copy options for asymmetric PI mode...................................................................28
Figure 2.15: AI-sym FTA............................................................................................................29
Figure 2.16: AI-sym FTN............................................................................................................29
Figure 2.17: Copy modes for Active-Inline with symmetric traffic...............................................29
Figure 2.18: AI-asym FTN..........................................................................................................29
Figure 2.19: AI-asym FTA..........................................................................................................29
Figure 2.20: Outbound monitoring with Network Forensic Appliance.........................................43
Figure 2.21: Inbound Monitoring with IDS and Application Performance Monitor.......................43
Figure 2.22: Inbound and Outbound Inspection with IPS and Network Forensic Appliances.....44
Figure 2.23: High Availability Deployment..................................................................................45
Figure 3.1: SSL1500 Rear Panel I/O..........................................................................................47
Figure 3.2: SSL1500 Front Panel Controls................................................................................48
Figure 3.3: SSL1500-C Copper Interface LEDs.........................................................................49
Figure 3.4: SSL1500-F Fiber Interface LEDs.............................................................................50
Figure 4.1: Default LCD Display.................................................................................................52
Figure 4.2: Top Level IP Address Configuration screen..............................................................52
Figure 4.3: Configurable IP Address Options screen..................................................................53
Figure 4.4: Initial configuration screen for IP address................................................................53
Figure 4.5: Editing IP address screen........................................................................................53
Figure 4.6: IP Address editing screen showing change..............................................................53
Figure 4.7: Apply command to change static IP address............................................................54
Figure 4.8: PIN Entry - Menu 1 - select upper or lower case......................................................55
Figure 4.9: PIN Entry - Menu 2 - character group selection.......................................................55
Figure 4.10: PIN Entry - Menu 3 - character sub group selection...............................................55
Figure 4.11: PIN Entry - Menu 4 - character selection................................................................55
Figure 4.12: PIN Entry - First character entered.........................................................................56
Figure 4.13: PIN Entry - Menu 2 - character group selection......................................................56
Figure 4.14: PIN Entry - Menu 3 - character sub group selection...............................................56
Figure 4.15: PIN Entry - Menu 4 - character selection................................................................56
Figure 4.16: PIN Entry - Menu 4 - Next Character.....................................................................56
Figure 4.17: PIN Entry - Menu 1 - space entered.......................................................................57
Figure 4.18: PIN Entry - Menu 1 - showing complete password entered....................................57
Figure 4.19: Bootstrap Master Key Mode selection box.............................................................57
Figure 4.20: Bootstrap User Setup box......................................................................................58
Figure 4.21: Login box on initial access screen..........................................................................59
Figure 4.22: Status Information on initial login screen................................................................59
Figure 4.23: Management Standard Features............................................................................60
Figure 4.24: Date and Time configuration box............................................................................60
Figure 4.25: Time Settings screen with reboot button................................................................61
Figure 4.26: Management Network Settings..............................................................................62
Figure 4.27: Edit Management network settings -Apply.............................................................63
Figure 4.28: Current Users configured in the system display.....................................................63
Figure 4.29: Add User................................................................................................................64
Figure 4.30: User Password change box...................................................................................64
Figure 4.31: Management Dashboard screen............................................................................66
Figure 4.32: Internal Certificate Authority screen with no entries................................................67
Figure 4.33: Generate Internal Certificate Authority input box....................................................67
Figure 4.34: Internal Certificate Authority Certificate Signing Request.......................................68
Figure 4.35: Internal Certificate Authority with CSR entry..........................................................69
Figure 4.36: Internal Certificate Authority - import box...............................................................69
Figure 4.37: Known Certificate with Keys Display......................................................................70
Figure 4.38: Known Certificate with Keys Import box.................................................................70
Figure 4.39: Known Certificate and Keys display with entries....................................................71
Figure 4.40: Adding a Ruleset....................................................................................................71
Figure 4.41: Add rule to cut through using Known Server Key/Certificate.................................72
Figure 4.42: Segment display when no segments have been created.......................................73
Figure 4.43: Add Segment box...................................................................................................73
Figure 4.44: Selecting Mode of operation for a Segment...........................................................74
Figure 4.45: Passive-Tap example Segment configuration........................................................75
Figure 4.46: Passive-Tap Segment options and activation.........................................................76
Figure 4.47: Activating a passive-tap segment - step one..........................................................77
Figure 4.48: Activating a passive-tap segment - step two..........................................................77
Figure 4.49: Activating a passive-tap segment - final step.........................................................78
Figure 4.50: Passive-Tap Segment activated.............................................................................78
Figure 4.51: Passive-Inline Ruleset creation..............................................................................79
Figure 4.52: List of Subject/Domain Names...............................................................................79
Figure 4.53: Rule to inspect using Certificate re-sign and a DN list............................................80
Figure 4.54: Passive-Inline ruleset with two rules defined..........................................................81
Figure 4.55: Passive-Inline segment configuration.....................................................................82
Figure 4.56: Passive-Inline segment active................................................................................82
Figure 4.57: Creation of a custom list of Known Server Keys/Certificates..................................83
Figure 4.58: Adding entries to a custom list...............................................................................84
Figure 4.59: Active-Inline ruleset................................................................................................84
Figure 4.60: Active-Inline segment configuration........................................................................85
Figure 5.1: Warning from Chrome browser................................................................................86
Figure 5.2: Warning from Firefox browser..................................................................................87
Figure 5.3: SSL1500 Login Box.................................................................................................87
Figure 5.4: Management screen basic layout.............................................................................88
Figure 5.5: Example Information Display Panel.........................................................................88
Figure 5.6: Example Configuration Edit Panel............................................................................89
Figure 5.7: Example of linked panels.........................................................................................89
Figure 5.8: Monitor Menu Options..............................................................................................90
Figure 5.9: System panel for an SSL1500 device......................................................................90
Figure 5.10: Dashboard Segment Status Panel.........................................................................91
Figure 5.11: Dashboard Network Interfaces...............................................................................91
Figure 5.12: Dashboard CPU Load %........................................................................................91
Figure 5.13: Dashboard Fan Speed (RPM)................................................................................91
Figure 5.14: Dashboard Temperatures (Degrees °C).................................................................92
Figure 5.15: Dashboard Utilization %.........................................................................................92
Figure 5.16: Dashboard System Log..........................................................................................92
Figure 5.17: System Log panel..................................................................................................92
Figure 5.18: Filter on Process box.............................................................................................92
Figure 5.19: Session Log panel.................................................................................................93
Figure 5.20: Session Log Export box.........................................................................................93
Figure 5.21: SSL Session detailed information..........................................................................94
Figure 5.22: SSL Statistics.........................................................................................................95
Figure 5.23: Invalid Certificates panel........................................................................................95
Figure 5.24: Invalid Certificates panel showing Self-Signed Certificate Details..........................96
Figure 5.25: SSL Error Counts panel.........................................................................................96
Figure 5.26: Diagnostics box......................................................................................................97
Figure 5.27: Debug NFE Network Statistics 1............................................................................97
Figure 5.28: Debug NFE Network Statistics 2............................................................................97
Figure 5.29: Debug NFE Network Statistics 3............................................................................98
Figure 5.30: Policies Menu Options...........................................................................................98
Figure 5.31: Rulesets box..........................................................................................................99
Figure 5.32: Rulesets Clone box................................................................................................99
Figure 5.33: Ruleset Option panel...........................................................................................100
Figure 5.34: Ruleset Options Edit box......................................................................................100
Figure 5.35: Insert Rule box.....................................................................................................101
Figure 5.36: Rules table showing why position is important.....................................................102
Figure 5.37: Segment graphic for an SSL1500 device.............................................................102
Figure 5.38: Segment System Options panel...........................................................................102
Figure 5.39: Segment Undecryptable Actions panel................................................................103
Figure 5.40: Certificate Status Actions panel............................................................................103
Figure 5.41: Edit Certificate Status Actions..............................................................................104
Figure 5.42: Edit Plaintext Marker box.....................................................................................104
Figure 5.43: Segment Failure Mode Options............................................................................105
Figure 5.44: Subject/Domain Names list for Unsupported Sites...............................................106
Figure 5.45: Add a Subject/Domain Name to a List..................................................................106
Figure 5.46: Examples of Subject/Domain Names Formats.....................................................107
Figure 5.47: Common Names Lists..........................................................................................107
Figure 5.48: Add a New Domain Name....................................................................................107
Figure 5.49: IP Addresses........................................................................................................108
Figure 5.50: Adding a Cipher Suite to a Cipher Suites List.......................................................109
Figure 5.51: Examples of different Cipher Suite formats..........................................................109
Figure 5.52: Host Categorizations............................................................................................110
Figure 5.53: Edit Host Categorization Settings.........................................................................111
Figure 5.54: Host List with its Categorizations..........................................................................112
Figure 5.55: Edit Host Categories.............................................................................................113
Figure 5.56: PKI Menu options.................................................................................................115
Figure 5.57: Creating a custom External Certificate Authorities List.........................................116
Figure 5.58: Import CRL box....................................................................................................117
viii © 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Figure 5.59: Platform Management Menu................................................................................119
Figure 5.60: Platform Information - Software Version and Chassis Data..................................120
Figure 5.61: Management Network Panel with Edit Settings....................................................121
Figure 5.62: Panel to configure Remote Logging.....................................................................122
Figure 5.63: Date/Time panel...................................................................................................122
Figure 5.64: Managing User Accounts on the system..............................................................123
Figure 5.65: TACACS Servers panel........................................................................................123
Figure 5.66: WebUI Login box when TACACS is in use...........................................................124
Figure 5.67: TACACS Server configuration box.......................................................................124
Figure 5.68: Email Configuration for Alert System....................................................................125
Figure 5.69: Add Alert to system..............................................................................................126
Figure 5.70: Add a New License...............................................................................................127
Figure 5.71: Backup dialog box................................................................................................128
Figure 5.72: Restore dialog box...............................................................................................128
Figure 5.73: Halt/Reboot Option..............................................................................................128
Figure 5.74: Import Certificate for WebUI.................................................................................129
Figure 5.75: Update to System option......................................................................................129
Figure 5.76: Preference for WebUI layout with Edit Window....................................................130
Figure 5.77: User Menu...........................................................................................................130
Figure 5.78: Change Password box.........................................................................................131
List of Tables
Table 1: SSL1500 Specification.................................................................................................15
Table 2: SSL1500 Packing List..................................................................................................16
Table 3: Segment Policy Options...............................................................................................31
Table 4: Ruleset Policy Options.................................................................................................32
Table 5: Actions that can be specified in a rule...........................................................................33
Table 6: Decrypt with known certificate and key rule format.......................................................33
Table 7: Decrypt using key replacement format.........................................................................34
Table 8: Decrypt using replacement of key and certificate format..............................................35
Table 9: Decrypt using Certificate Re-sign format......................................................................36
Table 10: Decrypt Anonymous Diffie-Hellman format................................................................37
Table 11: Rules that don't involve decryption format..................................................................38
Table 12: List Types and Contents.............................................................................................38
Table 13: SSL1500 Back Panel Components.............................................................................47
Table 14: SSL1500 Serial Port Pin Out......................................................................................47
Table 15: SSL1500 Power Supply LED Status Indicators..........................................................48
Table 16: SSL1500 Front Panel Components............................................................................48
Table 17: SSL1500 system status indicator meaning.................................................................49
Table 18: SSL1500-C Copper Interface LED States..................................................................50
Table 19: SSL1500 Copper Interface FTW LED States..............................................................50
Table 20: Keypad Layout...........................................................................................................51
Table 21: SSL1500 Power On Key Sequences..........................................................................51
Table 22: TACACS Levels to User Roles.................................................................................125
Table 23: Supported Cipher Suites...........................................................................................135